1. Jumping application (18) 
starts run ning on first com- 

2. Jumping application is 
commanded to move to sec- ^ — — 
ond computer ^ ^ 




/ 
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6. Jumping application con- 
tinues moving between com- 
puters until its tasks are done. 



/ 




4. Jumping application is 
commanded to move to 
third computer 



3, Jumping application re- 
sumes execution on second 
computer 



Figure 1 




5. Jumping application re- 
sumes execution on third 
computer 



1. Salesman fills out 
expense report form, 
then clicks "OK 
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2. Form sends itself to 
manager for approval s 

/ 

/ 




5. Salesman 
makes correc- 
tion, clicks 
w OK n 



3. Manager re- 
views form and 
finds a problem, 
clicks "Return 




4. Form sends 
itself back to 
salesman for 
update 



/ 



6. Form returns 
itself to manager 



7. Manager ac- 
cepts form and 
clicks "OK" 



9. Form updates 
employee's 
records in compa- 
ny database 



8. Form sends itself to* x 
Admin department 
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10. Form sends itself to 
Finance department 



1 1. Form notifies accoun- 
tant, who cuts a check 



Figure 2 
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' Host 1 " 

1 . Jumping app 
begins execu- 
tion on Host 1 
then is dis- 
patched to 
Host 2 
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Not trusted to 
transmit code to 
other hosts. 



2. Host 1 is un trusted, so 
system simply strips all 
code from the jumping 
application 




5. Jumping app 
resumes exe- 
cution on Host 
3. Any missing 
code must be 
supplied from 
somewhere 

Host 3 



4. Host 2 is trusted, so 
system allows all code 
to propagate with the 
jumping application. 



6. etc. 



Trusted to transmit 
code to other hosts. 



Host 2 

3. Jumping app 
resumes exe- 
cution on Host 
2. Any missing 
code must be 
retrieved from 
somewhere 

y 
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Figure 3 



Please provide 
report" behavior 
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Host 1 

1 . Jumping app begins 
execution on Host 1 



2. Host 1 describes the 
requested behavior to 
the security system. 

3. The jumping applica- 
tion is dispatched to 
Host 2. 




Security System 
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4. System replaces 
any code pro- 
vided by Host 1 
with its own code 
to provide 
"expense report" 
behavior. 




Host 2 

5. Jumping arrives at 
Host 2 

6. Jumping app foutrve* 
execution, using code 
supplied by system. 
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Figure 4 
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r 



HOST 1 
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HOST 2 



HOST N 



FIG. 4N 



5S 



CPU 



!3S 
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1 MOBILE APPLICATION CONTROLLER §Q 




SECURITY 
MODULE 



(MO 
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DATABASE 
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COMMUNICATIONS 
MODULE 



1 J 



) 



Host 1 
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Management 
and Security 
Console 



Host 5 
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Figure 5 



HosM 

2. Host queries MaSC for 
descriptions of available- 
programs. 



3. Host specifies by descrip- 
tion which program to 
download from the MaSC.^ 

5. Host instantiates jumping 
application using down- 
loaded program. 

6. Jumping application is 
dispatched to Host 2 
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J 



Host 2 

9. Jumping application 
arrives at Host 2. 

10. Jumping application 
resumes execution, using 
code supplied by MaSC. 
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Management and Security Console (MaSC) 

MaSC holds list of known safe programs, with 



Description 


Executable Code 


Demo 


foift=0;i<10) 
do{getIt()}; if(i=7)... 


^ Expense Report 


public void main(int x) 

{ do... / 


System Management 


class sysnigmt{ 
void doItQ... 



4. MaSC records 
description of 
program sent to 
Host 1. 



8. MaSC inserts its own 
code, based on descrip- 
tion saved in Step 4 
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7. MaSC removes 
unsafe code from 
jumping application 



; 

100 



Figure 6 



